Tags: pro positivetechnologies docx writeup 

Rating: 1.0

  1. Try to upload some file with the `debug=1` parameter (uncomment the line in the HTML)
  2. We see `Parsing docx error`
  3. Create an empty docx file and name it `test.docx`
  4. Open the docx file with 7-Zip
  5. Open `[Content_Types].xml`; this is an XML file
  6. When you see an XML file, you should think: `Hmm, maybe an XXE vulnerability?`
  7. Now use Google to search for everything about XXE (XML ENTITY) (https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing)
  8. Try to view the file `/var/www/html/index.php` using a SYSTEM ENTITY, PHP I/O and the XXE vuln
  9. Inject your ENTITY into the script (change `yoursite` to the URL of your site (or a link to a file on a file hosting service))
  10. Update the Content Type file in 7-Zip
  11. Create xxe.txt in the root directory of your site and put this code into it: 
  12. Upload file.
  13. Fine! You are looking at errors... Open the page source code (Ctrl + U)
  14. You'll see errors
  15. Decode the base64 from this error (from `http://?` to ` in <b>`)
  16. You get PHP code where you can see the file with the flag, named `flaflaflag.php`
  17. In xxe.txt, change `/var/www/html/index.php` to `/var/www/html/flaflaflag.php` and update it on your site (or file hosting)
  18. Upload your docx again
  19. Decode base64 again
  20. You're great!
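
The defensive counterpart to the steps above, as an added example that is not part of the original writeup or the challenge's code: an upload pre-check that rejects any docx whose XML parts carry a DTD or entity declaration, which OOXML never needs. The function names and sample documents are constructed for illustration, and the check assumes the server's XML parser is also configured not to resolve external entities.

```python
import io
import re
import zipfile

# OOXML parts never need a DTD, so any DOCTYPE/ENTITY declaration is grounds to reject.
_DTD = re.compile(r"<!(DOCTYPE|ENTITY)", re.IGNORECASE)

def _decode(raw: bytes) -> str:
    """Decode an XML part, recognising UTF-16 so re-encoding cannot hide a declaration."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")      # BOM selects byte order
    if raw[:2] == b"<\x00":
        return raw.decode("utf-16-le", errors="replace")   # BOM-less little endian
    if raw[:2] == b"\x00<":
        return raw.decode("utf-16-be", errors="replace")   # BOM-less big endian
    return raw.decode("utf-8", errors="replace")

def find_dtd_parts(docx_bytes: bytes, max_part_size: int = 5_000_000) -> list:
    """Return the names of XML parts that declare a DTD/entity or are suspiciously large."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if not name.endswith((".xml", ".rels")):
                continue
            if info.file_size > max_part_size:
                flagged.append(info.filename)  # refuse oversized parts instead of parsing them
            elif _DTD.search(_decode(zf.read(info))):
                flagged.append(info.filename)
    return flagged

def make_sample(content_types: str, encoding: str = "utf-8") -> bytes:
    """Build a constructed one-part archive standing in for an uploaded docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types.encode(encoding))
    return buf.getvalue()

# Constructed samples: a clean part, and one with a harmless internal entity declaration.
CLEAN = '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>'
WITH_DTD = '<?xml version="1.0"?><!DOCTYPE Types [<!ENTITY x "constructed">]><Types/>'

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("with DTD", WITH_DTD)):
        hits = find_dtd_parts(make_sample(doc))
        print(label, "->", "REJECT " + ", ".join(hits) if hits else "accept")
```

Run the check before the document reaches the XML parser, and treat it as a pre-filter in addition to disabling external entity resolution in the parser itself.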